Cedar Springs Public School District
Bylaws & Policies
 

8321 - CRIMINAL JUSTICE INFORMATION SECURITY (NON-CRIMINAL JUSTICE AGENCY)

The District is required by State law to have the Michigan State Police (MSP) obtain both a State and a Federal Bureau of Investigation (FBI) criminal history record information (CHRI) background check report for all employees of the District and contractors, vendors and their employees who work on a regular and continuous basis in the District. To assure the security, confidentiality, and integrity of the CHRI background check information received from the MSP/FBI, the following standards are established:

 

A. Sanctions for Non-Compliance

   
 

Employees who fail to comply with this policy and any guidelines issued to implement this policy will be subject to discipline for such violations. Discipline will range from counseling and retraining to discharge, based on the nature and severity of the violation. All violations will be recorded in writing, with the corrective action taken. The Superintendent shall review, approve, sign and date all such corrective actions.

   
 

B. Local Agency Security Officer (LASO)

   
 

The Human Resources Specialist shall be designated as the District’s Security Officer and shall be responsible for overall implementation of this policy and for data and system security. This shall include:

   
 

1. ensuring that personnel security screening procedures are being followed as set forth in this policy;
2. ensuring that approved and appropriate security measures are in place and working as expected;
3. supporting policy compliance and instituting the incident response reporting procedures;
4. ensuring that the Michigan State Police are promptly informed of any security incidents involving the abuse or breach of the system and/or access to criminal justice information;
5. to the extent applicable, identifying and documenting how District equipment is connected to the Michigan State Police system;
6. to the extent applicable, identifying who is using the Michigan State Police approved hardware, software and firmware, and ensuring that no unauthorized individuals have access to these items.

   
 

The District’s LASO shall be designated on the appropriate form as prescribed and maintained by the Michigan State Police. A new form shall be submitted every time a new LASO is designated.

   
 

C. Agency User Agreements

   
 

The District shall enter into any User Agreement, and any future amendments, required by the Michigan State Police as necessary to access the required CHRI on applicants, volunteers, and all other statutorily required individuals, such as contractors and vendors and their employees assigned to the District. The LASO shall be responsible for the District’s compliance with the terms of any such User Agreement.

   
 

D. Personnel Security

   
 

All individuals that have access to any criminal justice information shall be subject to the following standards:

   
 

1. Background Checks - A Michigan (or state of residency if other than Michigan) and a national fingerprint-based criminal history record check shall be conducted within thirty (30) days of assignment to a position with direct access to criminal justice information or with direct responsibility to configure and maintain computer systems and networks with direct access to criminal justice information.

   
 

   a. A felony conviction of any kind will disqualify an individual for access to criminal justice information.

   
 

   b. If any other results/records are returned, the individual shall not be granted access until the LASO reviews and determines access is appropriate. This includes, but is not limited to, any record which indicates the individual may be a fugitive or shows arrests without convictions. Such approval shall be recorded in writing, signed, dated and maintained with the individual’s file.

   
 

   c. Support personnel, Information Technology contractors and vendors, and custodial workers with access to physically secure locations or controlled areas (during criminal justice information processing) are subject to the same clearance standards as other individuals with access, and must be escorted by authorized personnel at all times when in these locations or areas.

   
 

2. Subsequent Arrest/Conviction - If an individual granted access to criminal justice information is subsequently arrested and/or convicted, access shall be suspended immediately until the matter is reviewed by the LASO to determine if continued access is appropriate. Such determination shall be recorded in writing, signed, dated and maintained with the individual’s file. In the event that it is the LASO who has the arrest/conviction, the Superintendent (if not the designated LASO) shall make the determination. If the Superintendent is also the designated LASO, the determination shall be made by the Human Resources Specialist. However, as noted in D(1)(a), individuals with a felony conviction of any kind will have their access permanently suspended.

   
 

3. Public Interest Denial - If the LASO determines that access to criminal justice information by any individual would not be in the public interest, access shall be denied whether that person is seeking access or has previously been granted access. Such decision and reasons shall be in writing, signed, dated and maintained in the individual’s file.

   
 

4. Approval for Access - All requests for access to criminal justice information shall be as specified and approved by the LASO. Any such designee must be a direct employee of the District. The District must maintain a readily accessible list that includes the names of all LASO approved personnel with access to criminal justice information, as well as the reason for providing each individual access.

   
 

5. Termination of Employment/Access – Within twenty-four (24) hours of the termination of employment, all access to criminal justice information shall be terminated immediately for that individual, and steps shall be taken to assure the security of such information and of any District systems used to access such information.

   
 

6. Transfer/Re-assignment - When an individual who has been granted access to criminal justice information has been transferred or re-assigned to other duties, the LASO shall determine whether continued access is necessary and appropriate. If not, s/he shall take such steps as necessary to block further access to such information within the twenty-four (24) hour period immediately following the transfer or reassignment.

   
 

7. Information Technology Contractors and Vendors[1] – Prior to granting access to criminal justice information to an IT contractor or vendor, identification must be verified via a Michigan (or state of residency if other than Michigan) and national fingerprint-based criminal history record check. A felony conviction of any kind, as well as any outstanding arrest warrant, will disqualify an IT contractor or vendor for access to criminal justice information. A contractor or vendor with a criminal record of any other kind may be granted access if the LASO determines the nature or severity of the misdemeanor offense(s) does not warrant disqualification. If any other results/records are returned, the individual shall not be granted access until the LASO reviews and determines access is appropriate.

[1] Non-Information Technology contractors or vendors shall not have access to criminal justice information.

   
 

E. Media Protection

   
 

Access to digital and physical media in all forms, which contains criminal history background information provided by the Michigan State Police through the statutory record check process, is restricted to authorized individuals only. Only individuals involved in the hiring determination of both District employees and volunteers shall be authorized to access digital and physical media containing CHRI.

   
 

1. Media Storage and Access – All digital and physical media shall be stored in a physically secure location or controlled area, such as a locked office, locked cabinet or other similarly secure area(s) which can only be accessed by authorized individuals. If such security cannot be reasonably provided, then all digital CHRI background data shall be encrypted. Digital media shall be stored on a District or School server. Storage on a third party server, such as a cloud service, is not permitted. Storage of digital media must conform to the requirements in AG 8321.

   
 

2. Media Transport – Digital and physical media shall be protected when being transported outside of a controlled area. Only authorized individuals shall transport the media. It shall be directly delivered to the intended person or destination and shall remain in the physical control and custody of the authorized individual at all times during transport. Access shall only be allowed to an authorized individual. To the extent possible, digital media (e.g., hard drives and removable storage devices such as disks, tapes, flash drives and memory cards) shall be encrypted and/or password protected during the transport process.

   
 

3. Media Disposal/Sanitization – When the CHRI background check is no longer needed, the media upon which it is stored shall either be destroyed or sanitized. The LASO and the Superintendent shall approve in writing the media to be affected. This record shall be maintained by the LASO for a period of at least five (5) years. (Note: the regulations do not specify a specific period for maintaining this information. This time period is suggested as it will likely cover most statutes of limitation and can be retained in digital format.)

     
 

   a. Digital Media - Sanitization of the media and deletion of the data shall be accomplished by either overwriting at least three (3) times or by degaussing, prior to disposal or reuse of the media. If the media is inoperable or will not be reused, it shall be destroyed by shredding, cutting, or other suitable method to assure that any data will not be retrievable.

     
 

   b. Physical Media – Documents, images or other types of physical record of the criminal history information shall be disposed of by cross-cut shredding or incineration. Physical security of the documents and their information shall be maintained during the process by authorized individuals. Documents may not be placed in a waste basket or burn bag for unauthorized individuals to later collect and dispose of.

   
 

All disposal/sanitization shall be either conducted or witnessed by authorized personnel to assure that there is no misappropriation of, or unauthorized access to, the data to be deleted. Written documentation of the steps taken to sanitize or destroy the media shall be maintained for ten (10) years, and must include the date as well as the signatures of the person(s) performing and/or witnessing the process. (See also, AG 8321.)

   
 

Mobile Devices – A personally owned mobile device (mobile phone, tablet, laptop, etc.) shall not be authorized to access, process, store or transmit criminal justice information unless the District has established and documented the specific terms and conditions for personally owned mobile devices.

     
 

F. CHRI Background Check Consent and Documentation

   
 

All individuals requested to complete a fingerprint-based CHRI background check must have given written consent, properly signed and dated, at the time of application and must be notified that fingerprints will be used to check the criminal history records of the FBI, prior to completing a fingerprint-based CHRI background check. The most current and unaltered Livescan form (RI-030) will satisfy this requirement and must be retained. Individuals subject to a fingerprint-based CHRI background check shall be provided the opportunity to complete or challenge the accuracy of the individual's criminal history record.

   
 

Some type of documentation identifying the position for which a fingerprint-based CHRI background check has been obtained must be retained for every CHRI background check conducted, such as an offer letter, employment agreement, new hire checklist, employment contract, volunteer background check form, etc.

   
 

G. Controlled Area/Physical Protection

   
 

All CHRI obtained from the Michigan State Police pursuant to the statutorily required background checks shall be maintained in a physically secure and controlled area, which shall be a designated office, room or area. The following security precautions will apply to the controlled area:

   
 

1. Limit unauthorized personnel access to the area during times that criminal justice information is being processed or viewed.
2. The controlled area shall be locked at all times when not in use or attended by an authorized individual.
3. Information systems devices (e.g., computer screens) and physical documents, when in use, shall be positioned to prevent unauthorized individuals from being able to access or view them.
4. Encryption shall be used for digital storage of criminal justice information. (See AG 8321)

     
 

H. Passwords (Standard Authentication)[2]

   
 

All authorized individuals with access to computers or systems on which processing is conducted, or which contain criminal justice information, must have a unique password to gain access. This password shall not be used for any other account to which the individual has access and shall comply with the following attributes and standards.

   
 

1. at least eight (8) characters long on all systems
2. not be a proper name or a word found in the dictionary
3. not be the same as the user identification
4. not be displayed when entered into the system (must use feature to hide password as typed)
5. not be transmitted in the clear outside of the secure location used for criminal justice information storage and retrieval
6. must expire and be changed every ninety (90) days
7. renewed password cannot be the same as any of the prior ten (10) passwords used (See also, AG 8321)

[2] Applicable to districts that maintain CHRI within a digital system of records, such as a digital database, filing system, record keeping software, spreadsheets, etc. Not applicable if CHRI is kept solely via e-mail and/or paper copies.

   
 

I. Security Awareness Training

   
 

All individuals who are authorized by the District to have access to criminal justice information or to systems which store criminal justice information shall have basic security awareness training within six (6) months of initial assignment/authorization and every two (2) years thereafter. The training shall, to the extent possible, be received through a program approved by the Michigan State Police. A template of the training is provided on the Michigan State Police’s website. At a minimum, the training shall comply with the standards established by the U.S. Department of Justice and Federal Bureau of Investigation for Criminal Justice Information Services. (See AG 8321.)

     
 

J. Secondary Dissemination of Information

   
 

If criminal history background information received from the Michigan State Police is released to another authorized agency under the sharing provision designated by The Revised School Code, a log of such releases shall be maintained and kept current indicating:

   
 

1. the date of release;
2. record disseminated;
3. method of sharing;
4. agency personnel that shared the CHRI;
5. the agency, and name of the individual at the agency, to which the information was released;
6. whether an authorization was obtained.

   
 

A log entry need not be kept if the receiving agency/entity is part of the primary information exchange agreements between the District and the Michigan State Police. A release form consenting to the sharing of CHRI shall be maintained at all relevant times.

   
 

If CHRI is received from another District or outside agency, an Internet Criminal History Access Tool (ICHAT) background check shall be performed to ensure the CHRI is based on personal identifying information, including the individual's name, sex, and date of birth, at a minimum.

     
 

K. Auditing and Accountability

   
 

The District’s information system shall produce, at the application and/or operating system level, audit records containing sufficient information to establish what events occurred, the sources of the events, and the outcomes of the events. In the event the District does not use an automated system, manual recording of activities shall still take place.

   
 

The following events shall be logged:

     
 

1. Successful and unsuccessful system log-on attempts.
2. Successful and unsuccessful attempts to:
   a. access permission on a user account, file, directory, or other system resource;
   b. create permission on a user account, file, directory or other system resource;
   c. write permission on a user account, file, directory or other system resource;
   d. delete permission on a user account, file, directory or other system resource;
   e. change permission on a user account, file, directory or other system resource.
3. Successful and unsuccessful attempts to change account passwords.
4. Successful and unsuccessful actions by privileged accounts.
5. Successful and unsuccessful attempts for users to:
   a. access the audit log file;
   b. modify the audit log file;
   c. destroy the audit log file.

   
 

The following content shall be included with every audited event: 1) date and time of the event; 2) the component of the information system (e.g., software component, hardware component) where the event occurred; 3) type of event; 4) user identity; and 5) outcome (success or failure) of the event.

   
 

Audit Monitoring, Analysis and Reporting – The District shall designate an individual or position to review/analyze information system audit records for indications of inappropriate or unusual activity, to investigate suspicious activity or suspected violations, to report findings to appropriate officials, and to take necessary actions. Audit review/analysis shall be conducted at a minimum once a week, and should be increased if volume indicates an elevated need for audit review.

   
 

Time Stamps – The District’s information system shall provide time stamps for use in audit record generation. The time stamps shall include the date and time values generated by the internal system clocks in the audit records.

   
 

Protection of Audit Information – The District’s information system shall protect audit information and audit tools from modification, deletion and unauthorized access.

Ref: Criminal Justice Information Services - Security Policy (Version 5.5, 2016), U.S. Dept. of Justice and Federal Bureau of Investigation
Noncriminal Justice Agency Compliance Audit Review, Michigan State Police, Criminal Justice Information Center, Audit and Training Section
Conducting Criminal Background Checks, Michigan State Police, Criminal Justice Information Center

Revised 3/14/16
Revised 12/12/16

© Neola 2016